Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-15 Thread Murty, Ajeet (US - Arlington)
Thanks for all the info. I think I will wait for the 4.1 update.







-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Tuesday, October 14, 2014 9:43 AM
To: quest monger; d...@redhat.com
Cc: FreeIPA
Subject: Re: [Freeipa-users] Replace Self-Signed Cert

quest monger wrote:
 Makes sense.
 I will still try out that cert add command in my test environment, just
 to see if it works.
 Looks like for now, 4.1 upgrade is my best option.

IPA 3.x includes a command, ipa-server-certinstall, which will do what
you need. This can be a bumpy process with clients and such which is why
Dmitri suggested using 4.1, but it should still basically work. It
depends greatly on whether the CA issuing the certs is already known by
clients (for example being a default CA shipped by NSS and openssl).

But I'd step cautiously and ask a lot of questions before you proceed.
The IPA certificates are not self-signed. They are issued by a CA
controlled by IPA.  I think your admin's concerns are related to users
getting an unknown CA/cert error. It can be confusing and can train
users to accept any SSL certificate they see which is bad.

There are some downsides to not using the IPA CA:

- no automatic renewal of certificates. This means you need to manually
monitor your infrastructure and renew the certificates before they
expire. Otherwise your identity infrastructure could go down.
- for every replica you set up you will need to get a web and ldap
certificate in advance

rob



 On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:

 On 10/13/2014 06:45 PM, quest monger wrote:
 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443
 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust
 chain, hence I called them self-signed.
 We have a contract with a third party CA that issues TLS certs for
 us. I was asked to find a way to replace those 2 self-signed certs
 with certs from this third party CA.
 I was wondering if there was a way I could do that.

 I found this
 - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 I am currently running 3.0.0.



 AFAIU the biggest issue will be with the clients.
 I suspect that they might be quite confused if you just drop in the
 certs from the 3rd party.
 If you noticed the page has the following line:
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA. I think it should say by external CA to be clear.
 It is not the case in your situation. If it were the situation the
 CA would have been already in trust chain on the clients and
 procedure would have worked but I do not think it would work now.
 You would need to use the cert chaining tool that was built in
 4.1 when 4.1 gets released on CentOS.





 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:

 On 10/13/2014 03:39 PM, quest monger wrote:
 I found some documentation for getting certificate signed by
 external CA (2.3.3.2. Using Different CA Configurations) -
 
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


 But looks like those instructions apply to a first time fresh
 install, not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger
 quest.mon...@gmail.com mailto:quest.mon...@gmail.com wrote:

 I was told by my admin team that Self-signed certs pose a
 security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
 rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have
 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo work
 on all clients.
 
  I would like to replace the self-signed cert that
 is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the
 server and clients?

 Why do you want to do this?

 rob






 Do I get it right that you installed IPA using self-signed
 certificate

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-14 Thread Rob Crittenden
quest monger wrote:
 Makes sense.
 I will still try out that cert add command in my test environment, just
 to see if it works.
 Looks like for now, 4.1 upgrade is my best option.

IPA 3.x includes a command, ipa-server-certinstall, which will do what
you need. This can be a bumpy process with clients and such which is why
Dmitri suggested using 4.1, but it should still basically work. It
depends greatly on whether the CA issuing the certs is already known by
clients (for example being a default CA shipped by NSS and openssl).

But I'd step cautiously and ask a lot of questions before you proceed.
The IPA certificates are not self-signed. They are issued by a CA
controlled by IPA.  I think your admin's concerns are related to users
getting an unknown CA/cert error. It can be confusing and can train
users to accept any SSL certificate they see which is bad.

There are some downsides to not using the IPA CA:

- no automatic renewal of certificates. This means you need to manually
monitor your infrastructure and renew the certificates before they
expire. Otherwise your identity infrastructure could go down.
- for every replica you set up you will need to get a web and ldap
certificate in advance

rob

 
 
 On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:
 
 On 10/13/2014 06:45 PM, quest monger wrote:
 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443
 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust
 chain, hence I called them self-signed.
 We have a contract with a third party CA that issues TLS certs for
 us. I was asked to find a way to replace those 2 self-signed certs
 with certs from this third party CA.
 I was wondering if there was a way I could do that.

 I found this
 - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 I am currently running 3.0.0.


 
 AFAIU the biggest issue will be with the clients.
 I suspect that they might be quite confused if you just drop in the
 certs from the 3rd party.
 If you noticed the page has the following line:
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA. I think it should say by external CA to be clear.
 It is not the case in your situation. If it were the situation the
 CA would have been already in trust chain on the clients and
 procedure would have worked but I do not think it would work now.
 You would need to use the cert chaining tool that was built in
 4.1 when 4.1 gets released on CentOS.
 
 
 
 

 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:

 On 10/13/2014 03:39 PM, quest monger wrote:
 I found some documentation for getting certificate signed by
 external CA (2.3.3.2. Using Different CA Configurations) -
 
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


 But looks like those instructions apply to a first time fresh
 install, not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger
 quest.mon...@gmail.com mailto:quest.mon...@gmail.com wrote:

 I was told by my admin team that Self-signed certs pose a
 security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
 rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have
 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo work
 on all clients.
 
  I would like to replace the self-signed cert that
 is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the
 server and clients?

 Why do you want to do this?

 rob






 Do I get it right that you installed IPA using a self-signed
 certificate and now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less
 install or a self-signed CA?
 The tools to change the chaining are only being released in
 4.1 so you might have to move to latest when we release 4.1
 for CentOS.


 -- 
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project


 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering 
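
Rob's caveat above, that an externally issued certificate brings no automatic renewal, so the web and LDAP certificates on the server and on every replica have to be monitored and renewed by hand, is the kind of thing a small scheduled check can cover. The following is an added example, not code from FreeIPA or from anyone in this thread: it decodes the validity period out of a DER-encoded certificate with a minimal ASN.1 walker and classifies each endpoint as ok, renew-soon, expired or not-yet-valid against an assumed 30-day renewal lead time (WARN_DAYS). The host names, the inventory and the unsigned sample certificates produced by build_sample_cert are constructed for illustration; in real use the DER bytes would come from the server's certificate files or from an openssl s_client session.

```python
# Expiry check for the web (443) and LDAP (636) certificates of an IPA server that
# uses externally issued certs. Added example, not FreeIPA code; names are constructed.
import datetime as dt

WARN_DAYS = 30  # assumed renewal lead time; tune to the external CA's turnaround

def utc_date(y, m, d):
    return dt.datetime(y, m, d, tzinfo=dt.timezone.utc)

def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    """Wrap body in a DER TLV with a single-byte tag."""
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):
    """Decode an X.509 UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected time tag %#x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der_cert):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate ->
    validity in the RFC 5280 field order."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)        # [0] EXPLICIT version, or serial on v1 certs
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)    # serialNumber
    _, _, pos = _read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)        # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)   # validity SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return _parse_time(t1, nb), _parse_time(t2, na)

def check_expiry(der_cert, now, warn_days=WARN_DAYS):
    """Classify one certificate; the second value is signed days until notAfter."""
    not_before, not_after = cert_validity(der_cert)
    days_left = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "renew-soon", days_left
    return "ok", days_left

def report(inventory, now, warn_days=WARN_DAYS):
    """Check every {endpoint: der_cert} entry; soonest expiry first."""
    rows = [(name,) + check_expiry(der, now, warn_days) for name, der in inventory.items()]
    return sorted(rows, key=lambda r: r[2])

def build_sample_cert(not_before, not_after):
    """Constructed sample: a structurally valid but unsigned certificate shell
    (empty names, placeholder key, empty signature) so the example runs offline."""
    def utctime(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))       # version v3
           + _der(0x02, b"\x01")                  # serialNumber 1
           + sha256_rsa                           # signature algorithm
           + _der(0x30, b"")                      # issuer Name (empty, sample only)
           + _der(0x30, utctime(not_before) + utctime(not_after))
           + _der(0x30, b"")                      # subject Name (empty, sample only)
           + _der(0x30, b""))                     # subjectPublicKeyInfo placeholder
    return _der(0x30, _der(0x30, tbs) + sha256_rsa + _der(0x03, b"\x00"))

if __name__ == "__main__":
    now = utc_date(2014, 10, 15)
    inventory = {  # constructed: the two endpoints from the thread plus one replica
        "ipa.example.test:443": build_sample_cert(utc_date(2014, 10, 1), utc_date(2014, 11, 1)),
        "ipa.example.test:636": build_sample_cert(utc_date(2014, 10, 1), utc_date(2016, 10, 1)),
        "replica1.example.test:636": build_sample_cert(utc_date(2013, 9, 1), utc_date(2014, 9, 1)),
    }
    for name, status, days in report(inventory, now):
        print("%-28s %-13s %5d days to notAfter" % (name, status, days))
```

Only the standard library is used so the check can run unchanged on the kind of CentOS host described in the thread. It deliberately covers only the renewal problem Rob raised; it says nothing about the separate concern Dmitri raised, whether the issuing CA is in the clients' trust stores, which has to be checked on the client side.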

[Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Hello All,

I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris
clients hooked up to it. SSH and Sudo work on all clients.

I would like to replace the self-signed cert that is used on Port 389 and
636.

Is there a way to do this without re-installing the server and clients?

Thanks.

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Rob Crittenden
quest monger wrote:
 Hello All,
 
 I installed FreeIPA server on a CentOS host. I have 20+ Linux and
 Solaris clients hooked up to it. SSH and Sudo work on all clients.
 
 I would like to replace the self-signed cert that is used on Port 389
 and 636.
 
 Is there a way to do this without re-installing the server and clients?

Why do you want to do this?

rob



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I was told by my admin team that Self-signed certs pose a security risk.


On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo work on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the server and clients?

 Why do you want to do this?

 rob



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I found some documentation for getting certificate signed by external CA
(2.3.3.2. Using Different CA Configurations) -
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

But looks like those instructions apply to a first time fresh install, not
for upgrading an existing install.



On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
wrote:

 I was told by my admin team that Self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo work on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the server and clients?

 Why do you want to do this?

 rob




Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
one on port 636 (LDAPS). These certs don't have a trust chain, hence I
called them self-signed.
We have a contract with a third party CA that issues TLS certs for us. I
was asked to find a way to replace those 2 self-signed certs with certs
from this third party CA.
I was wondering if there was a way I could do that.

I found this -
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I am currently running 3.0.0.



On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

  On 10/13/2014 03:39 PM, quest monger wrote:

 I found some documentation for getting certificate signed by external CA
 (2.3.3.2. Using Different CA Configurations) -
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

  But looks like those instructions apply to a first time fresh install,
 not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
 wrote:

 I was told by my admin team that Self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

  quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo work on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the server and clients?

  Why do you want to do this?

 rob






 Do I get it right that you installed IPA using a self-signed certificate and
 now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less install or
 a self-signed CA?
 The tools to change the chaining are only being released in 4.1 so you
 might have to move to latest when we release 4.1 for CentOS.


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread William Graboyes
Hi there,

My understanding is the only way to install a third party cert is to 
start from scratch.  The part that is unclear to me is if there is a 
method of exporting the data prior to, and importing the data after the 
fresh instance of freeipa has been installed.  I assume that one would 
also have to re-install all clients utilizing freeipa.

Thanks,
Bill

On Mon Oct 13 15:45:05 2014, quest monger wrote:
 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
 one on port 636 (LDAPS). These certs don't have a trust chain, hence I
 called them self-signed.
 We have a contract with a third party CA that issues TLS certs for us. I
 was asked to find a way to replace those 2 self-signed certs with certs
 from this third party CA.
 I was wondering if there was a way I could do that.

 I found this -
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 I am currently running 3.0.0.



 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

  On 10/13/2014 03:39 PM, quest monger wrote:

 I found some documentation for getting certificate signed by external CA
 (2.3.3.2. Using Different CA Configurations) -
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

  But looks like those instructions apply to a first time fresh install,
 not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
 wrote:

 I was told by my admin team that Self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

  quest monger wrote:
 Hello All,

 I installed FreeIPA server on a CentOS host. I have 20+ Linux and
 Solaris clients hooked up to it. SSH and Sudo work on all clients.

 I would like to replace the self-signed cert that is used on Port 389
 and 636.

 Is there a way to do this without re-installing the server and clients?

  Why do you want to do this?

 rob






 Do I get it right that you installed IPA using a self-signed certificate and
 now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less install or
 a self-signed CA?
 The tools to change the chaining are only being released in 4.1 so you
 might have to move to latest when we release 4.1 for CentOS.


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Dmitri Pal

On 10/13/2014 06:45 PM, quest monger wrote:

I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) 
and one on port 636 (LDAPS). These certs don't have a trust chain, 
hence I called them self-signed.
We have a contract with a third party CA that issues TLS certs for us. 
I was asked to find a way to replace those 2 self-signed certs with 
certs from this third party CA.

I was wondering if there was a way i could do that.

I found this - 
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP


I am currently running 3.0.0.




AFAIU the biggest issue will be with the clients.
I suspect that they might be quite confused if you just drop in the 
certs from the 3rd party.

If you noticed the page has the following line:
The certificate in mysite.crt must be signed by the CA used when 
installing FreeIPA. I think it should say by external CA to be clear.
It is not the case in your situation. If it were the situation the CA 
would have been already in trust chain on the clients and procedure 
would have worked but I do not think it would work now.
You would need to use the cert chaining tool that was built in 4.1 
when 4.1 gets released on CentOS.






On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com 
mailto:d...@redhat.com wrote:


On 10/13/2014 03:39 PM, quest monger wrote:

I found some documentation for getting certificate signed by
external CA (2.3.3.2. Using Different CA Configurations) -

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


But looks like those instructions apply to a first time fresh
install, not for upgrading an existing install.



On Mon, Oct 13, 2014 at 3:24 PM, quest monger
quest.mon...@gmail.com mailto:quest.mon...@gmail.com wrote:

I was told by my admin team that Self-signed certs pose a
security risk.


On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:

quest monger wrote:
 Hello All,

 I installed FreeIPA server on a CentOS host. I have 20+
Linux and
 Solaris clients hooked up to it. SSH and Sudo work on
all clients.

 I would like to replace the self-signed cert that is
used on Port 389
 and 636.

 Is there a way to do this without re-installing the
server and clients?

Why do you want to do this?

rob







Do I get it right that you installed IPA using a self-signed
certificate and now want to change it?
What version of IPA do you have? Did you use a self-signed CA-less
install or a self-signed CA?
The tools to change the chaining are only being released in 4.1 so
you might have to move to latest when we release 4.1 for CentOS.


-- 
Thank you,

Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Makes sense.
I will still try out that cert add command in my test environment, just to
see if it works.
Looks like for now, 4.1 upgrade is my best option.


On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com wrote:

  On 10/13/2014 06:45 PM, quest monger wrote:

 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
 one on port 636 (LDAPS). These certs don't have a trust chain, hence I
 called them self-signed.
 We have a contract with a third party CA that issues TLS certs for us. I
 was asked to find a way to replace those 2 self-signed certs with certs
 from this third party CA.
 I was wondering if there was a way I could do that.

  I found this -
 http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

  I am currently running 3.0.0.



 AFAIU the biggest issue will be with the clients.
 I suspect that they might be quite confused if you just drop in the certs
 from the 3rd party.
 If you noticed the page has the following line:
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA. I think it should say by external CA to be clear.
 It is not the case in your situation. If it were the situation the CA
 would have been already in trust chain on the clients and procedure would
 have worked but I do not think it would work now.
 You would need to use the cert chaining tool that was built in 4.1
 when 4.1 gets released on CentOS.





 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com wrote:

   On 10/13/2014 03:39 PM, quest monger wrote:

 I found some documentation for getting certificate signed by external CA
 (2.3.3.2. Using Different CA Configurations) -
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html

  But looks like those instructions apply to a first time fresh install,
 not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger quest.mon...@gmail.com
 wrote:

 I was told by my admin team that Self-signed certs pose a security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com
 wrote:

  quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo work on all clients.
 
  I would like to replace the self-signed cert that is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the server and
 clients?

  Why do you want to do this?

 rob






  Do I get it right that you installed IPA using a self-signed certificate
 and now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less install or
 a self-signed CA?
 The tools to change the chaining are only being released in 4.1 so you
 might have to move to latest when we release 4.1 for CentOS.


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

